Halting Problems Supply Chain - 0-Days - Intel

Threat Feed

Real-time intelligence on supply chain attacks and 0-days from across the internet.

5 Critical | 0 High | 0 Medium | 0 Low | 5 Total | 64 IOCs | 10 Sources

Critical | Supply Chain

Mini Shai-Hulud compromises npm and PyPI packages

Ongoing TeamPCP-linked campaign compromising npm and PyPI packages with credential-stealing payloads targeting developer and CI/CD secrets.

npm CAP / Cloud MTA Build Tool
6d ago | High | 5 IOCs | 2 Sources | Active

Critical | Supply Chain

Checkmarx Jenkins AST plugin compromised via marketplace release

Malicious Checkmarx Jenkins AST plugin 2026.5.09 was available through the Jenkins Marketplace and executed through normal plugin lifecycle hooks.

Jenkins Marketplace Jenkins AST Scanner plugin
9d ago | High | 15 IOCs | 2 Sources | Mitigated

Critical | Supply Chain

Malicious @bitwarden/cli npm package steals developer and cloud credentials

Typosquatted @bitwarden/cli@2026.4.0 targeted developer workstations and CI/CD pipelines, harvesting secrets and attempting worm-like propagation.

npm Bitwarden CLI
26d ago | High | 5 IOCs | 2 Sources | Mitigated

Critical | Supply Chain

Axios npm maintainer compromise delivers cross-platform RAT

Compromised Axios releases 1.14.1 and 0.30.4 added the malicious plain-crypto-js dependency to fetch cross-platform RAT payloads.

npm Axios HTTP client
Mar 31 | High | 26 IOCs | 2 Sources | Mitigated

Critical | Supply Chain

TeamPCP compromises Trivy and expands across security tooling

TeamPCP weaponized trusted Trivy distribution channels and related CI/CD tooling to harvest credentials and exfiltrate encrypted archives.

Aqua Security Trivy
Mar 19 | High | 13 IOCs | 2 Sources | Active